I recently spoke at a CW500 event on enterprise security architecture as an opportunity to close the gap between the business needs and the capabilities of the information security profession, writes Mark Brown. It was well-attended and led to some interesting discussion among attendees, mostly security professionals. The discussion continued after the main event and one question was on the lips of every speaker: “Does the industry truly understand what we are saying?”


I have been pondering this for a couple of weeks now. I remain convinced that, unfortunately, most infosec professionals remain focused on “keeping the lights on”. In other words, they operate in an IT comfort zone, rather than accepting they need to adapt to a new progressive approach to information security that aligns it to business requirements.

Enterprise security architecture, in its many guises – TOGAF, Zachman and SABSA are but a few of the frameworks – provides an opportunity for information security professionals to identify with and embed themselves in the wider business. In doing so they will be forced to review how they enhance effectiveness across the business’s strategic intent and become an enabler, rather than being seen as the people who put obstacles in the way of the business.

The obvious question is, if the means to achieve a new approach to information security are there and known to our profession, why are we not operating an information security management system aligned to enterprise security architecture?

Ernst & Young’s latest Global Information Security Survey identified that 85% of UK companies surveyed believed their information security function was not meeting the needs of their business. Furthermore, 62% of companies surveyed accepted that their information security function was not aligned to enterprise architecture, and 40% of respondents accepted that information security was not aligned to enterprise risk appetites.

So there is an issue here to tackle for which we need a new role for the information security professional in a modern organisation. In my experience, our colleagues that truly become part of their organisation are focused on three key issues:

Optimising its financial performance and minimising financial risk;

Protecting the brand reputation of the business;

Protecting and enhancing customer loyalty.

So where does keeping company information systems and information secure come in?

Those responsibilities are still within their remit, but they should be accepted as a tactical component of a larger requirement: enabling the business to serve its customer base safely and securely.

To take that step and close the gap between what the business requires and what our profession currently offers, moral courage will be required across our industry. We must be brave and recognise our failings and accept that, to survive as a necessary component of the business, we must first understand what it is trying to achieve.

If we want to be accepted as a crucial member around the decision-making table, to be recognised as leaders not followers, we must embrace change and redesign our approach to information security. As a profession we must demonstrate how we can deliver business results through our function. Instead of looking at the existing landscape and how it can be reworked, information security functions should undertake a fundamental redesign, allowing for innovation and incorporating new technologies.

Our expert teams can get there by following a few simple steps:

Identify the real risks: An effective strategy will treat technologies and issues such as cloud, social media, big data, mobile computing, globalisation and borderless working as core considerations, rather than as “bolt-ons”;

Protect what matters most: An information security framework should assume that breaches will occur and so planning and protecting is more important than detecting and responding;

Embed information security in the business: All employees, functions, business units, projects and so on have a role to play and should understand the risks;
